[cap-talk] Reference count based garbage collection seen as flawed
norm at cap-lore.com
Sat Jan 7 17:24:34 PST 2012
On 2012 Jan 2, at 23:06 , Jonathan S. Shapiro wrote:
> If my view is correct, the architectural implications are dire:
> Persistable objects must consist of homogeneously allocated storage.
> The persisted graph cannot admit cycles.
> The low-level operating system must have a richer semantic understanding of persistent objects than KeyKOS admitted. In particular, a clear distinction is required between containing objects and contained (constituent) objects, and the relationship between a contained object and its container must be exclusive.
> In consequence, the notion of extensibility in capability systems is called into question. The denial of service problem is actually not the first issue pointing to a problem; it is the second. The first hint of a problem is the need to conservatively downgrade entry capabilities.
> In consequence, it is unclear whether the KeyKOS approach to persistence and restart is sustainable in a viable capability architecture. With some reluctance, I believe that the answer is "no".
> If my view on  is correct, then the secure restart problem in pure, protected capability systems remains unsolved, and requires our collective attention.
I assume that ‘persistable’ means turned into pure data outside the system confines, so as perhaps to be able to be reinserted into another like system.
This would include reinsertion into the same system later.
Point number 2 is otherwise contradicted by the fact that Keykos ‘persisted’ objects with reference cycles across checkpoint restarts.
I address the extraction problem here without solving it here:
I extol some advantages of non-extractability.
Yet some sort is sometimes necessary.
Regarding point 3, some formal theory of ‘constituent’ objects seems indeed to be required.
I have not found such a theory that I could remember from one day to the next.
Thus I have no proposed solution even outside the kernel.
Here is a humorous note on the subject:
I do not understand what “conservatively downgrade entry capabilities” means.
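The disagreement above turns on whether a collector or a persistence mechanism keyed on reference counts can reclaim, or faithfully persist, an object graph that contains cycles. The following Python is an added illustration, not code from KeyKOS or from either author of the thread: the object graph (A, B, C, D, with a root holding A) is constructed for the example and every function name is hypothetical. It shows reference counting failing to reclaim both an unreachable self-cycle and the A/B cycle orphaned once its root is dropped, while marking from roots reclaims both; and it shows a checkpoint that records the reachable graph by object identity carrying the cycle intact across a restart, which is the behaviour the reply attributes to Keykos.

```python
# Added illustration (not KeyKOS code): reference counting versus
# reachability on a graph of capability-holding objects, and a
# reachability-based checkpoint/restart that tolerates cycles.
from collections import deque


class Obj:
    """Hypothetical object that holds capabilities (edges) to other objects."""

    def __init__(self, name):
        self.name = name
        self.caps = []  # outgoing capabilities, in hold order

    def __repr__(self):
        return f"Obj({self.name!r})"


def build_graph():
    """Constructed sample graph: A and B hold each other (a cycle), B also
    holds C, and D holds only itself with nothing else reaching it."""
    a, b, c, d = (Obj(n) for n in "ABCD")
    a.caps = [b]
    b.caps = [a, c]
    d.caps = [d]
    return {o.name: o for o in (a, b, c, d)}


def refcount_sweep(objs, roots):
    """Reference counting: an object is freed when its holder count (root
    holds plus capabilities from still-live objects) reaches zero, cascading
    to whatever it held. Returns the sorted names of objects freed."""
    count = {n: 0 for n in objs}
    for o in objs.values():
        for t in o.caps:
            count[t.name] += 1
    for r in roots:
        count[r] += 1
    freed = []
    work = deque(n for n, c in count.items() if c == 0)
    while work:
        n = work.popleft()
        freed.append(n)
        for t in objs[n].caps:
            count[t.name] -= 1
            if count[t.name] == 0:
                work.append(t.name)
    return sorted(freed)


def mark_from_roots(objs, roots):
    """Reachability: mark everything transitively held from the roots."""
    seen = set()
    work = deque(roots)
    while work:
        n = work.popleft()
        if n in seen:
            continue
        seen.add(n)
        work.extend(t.name for t in objs[n].caps)
    return seen


def mark_sweep(objs, roots):
    """Everything not reachable from the roots is garbage, cycles included."""
    return sorted(set(objs) - mark_from_roots(objs, roots))


def checkpoint(objs, roots):
    """Persist the reachable graph as flat records keyed by object identity
    (the name), so a cycle is just a back-reference and needs no count."""
    live = mark_from_roots(objs, roots)
    return sorted((n, [t.name for t in objs[n].caps]) for n in live)


def restart(records):
    """Rebuild objects from a checkpoint; cycles are restored by identity."""
    objs = {n: Obj(n) for n, _ in records}
    for n, targets in records:
        objs[n].caps = [objs[t] for t in targets]
    return objs


def demo():
    objs = build_graph()
    # Root holds A: refcount cannot free D (self-cycle), marking can.
    r_live, m_live = refcount_sweep(objs, ["A"]), mark_sweep(objs, ["A"])
    # Root drops A: the A<->B cycle keeps A, B and C alive under refcount.
    r_dropped, m_dropped = refcount_sweep(objs, []), mark_sweep(objs, [])
    # Checkpoint and restart with the cycle still reachable from the root.
    new = restart(checkpoint(objs, ["A"]))
    cycle_ok = new["A"].caps[0] is new["B"] and new["B"].caps[0] is new["A"]
    return r_live, m_live, r_dropped, m_dropped, cycle_ok


if __name__ == "__main__":
    print(demo())
```

The checkpoint records names rather than counts, so restoring it never has to answer "how many holders does A have"; it only has to re-link A to B and B to A, which is why a persisted graph of this kind can admit cycles.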